Hi,
I have installed PiVPN Server and PiHole,
I have also set up DietPi-VPN with ProtonVPN, and when ProtonVPN connects, DietPi is not connected to the internet (ping does not work, curl does not work).
I tried a fresh installation.
I also want the dietpi-vpn to work like a gateway VPN.
Can anyone help me?
thanks
Did you have IP forwarding enabled?
cat /proc/sys/net/ipv4/ip_forward
If the output is 1, it is enabled.
And can’t you ping anything, or just IPs and no domains?
And you want to connect to your device via dietpi-vpn, and the internet connection of your device is going out via the Proton tunnel, or what is your goal to achieve?
The issue is the two VPNs running (one server and one client). Usually this is not that simple to set up. It requires manual settings and some iptables rules to ensure correct routing.
Maybe @trendy can have a look
Yes, sure!
What is the output of:
ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c
Also paste here the tunnel configurations, without the keys, and any up-scripts that are executed when the script comes up.
thanks
cat /proc/sys/net/ipv4/ip_forward = 1
ping works only for addresses on my local network
I will post the error later
bye
From what you have shown I see only one VPN running, most likely it is your VPN server on the DietPi.
You need to run all the commands (you missed the iptables) when the vpn client is also up.
If my understanding is correct you want to have one VPN server to connect from the internet and one VPN client to forward all your traffic.
root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.6.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
inet 10.17.0.12/16 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.17.0.1 dev tun0
default via 192.168.10.1 dev eth0 onlink
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
10.17.0.0/16 dev tun0 proto kernel scope link src 10.17.0.12
128.0.0.0/1 via 10.17.0.1 dev tun0
169.150.218.70 via 192.168.10.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1
local 10.17.0.12 dev tun0 table local proto kernel scope host src 10.17.0.12
broadcast 10.17.255.255 dev tun0 table local proto kernel scope link src 10.17.0.12
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
local 192.168.10.5 dev eth0 table local proto kernel scope host src 192.168.10.5
broadcast 192.168.10.255 dev eth0 table local proto kernel scope link src 192.168.10.5
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.8.7 on Sat Apr 22 08:09:26 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[2532690:2916344140] -A FORWARD -j DOCKER-USER
[2532690:2916344140] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 2525 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[2532690:2916344140] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[3627671:4237369580] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Apr 22 08:09:26 2023
# Generated by iptables-save v1.8.7 on Sat Apr 22 08:09:26 2023
*nat
:PREROUTING ACCEPT [1261303:157504509]
:INPUT ACCEPT [1243120:151148706]
:OUTPUT ACCEPT [751071:61306343]
:POSTROUTING ACCEPT [751071:61306343]
:DOCKER - [0:0]
[871756:106443388] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[18183:6355803] -A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 2525 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2520 -j DNAT --to-destination 172.17.0.2:2525
COMMIT
# Completed on Sat Apr 22 08:09:26 2023
Add a new routing table, needs to be done once.
echo '10 isp' >> /etc/iproute2/rt_tables
You need to masquerade the traffic from the wg to the vpn tunnel.
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o tun0 -m comment --comment wireguard-nat-rule-2 -j MASQUERADE
Then you need to make a rule for the wg-server traffic and send that traffic to the new routing table.
ip route add to default via 192.168.10.1 table isp
ip rule add iif lo sport 51820 to default lookup isp prio 15000
Change 51820 with the wireguard source port you are using. These commands should be part of the up-script for the vpn-client connection.
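The three steps above, wrapped into one idempotent up/down hook, as an added example (not the thread's own commands, and not part of DietPi or PiVPN). It assumes the values visible in the posted output: wg0 on 10.6.0.0/24, LAN gateway 192.168.10.1, client tunnel tun0, and the default WireGuard port 51820; all of them can be overridden through environment variables.

```sh
#!/bin/sh
# Constructed example: idempotent hook for the VPN client's up/down scripts, so a
# reconnect does not stack duplicate NAT rules, routes or policy rules.
WG_NET="${WG_NET:-10.6.0.0/24}"; WG_PORT="${WG_PORT:-51820}"
ISP_GW="${ISP_GW:-192.168.10.1}"; VPN_IF="${VPN_IF:-tun0}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TABLE="isp"; TABLE_ID=10; PRIO=15000
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them (no root needed)

# Rule spec shared by add (-A), check (-C) and delete (-D); the comment is part of the match.
MASQ="-s $WG_NET -o $VPN_IF -m comment --comment wireguard-nat-rule-2 -j MASQUERADE"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Register the 'isp' table once; appending a second time would leave a duplicate entry.
ensure_table() {
    grep -qE "^${TABLE_ID}[[:space:]]+${TABLE}\$" "$RT_TABLES" 2>/dev/null && return 0
    run sh -c "echo '$TABLE_ID $TABLE' >> $RT_TABLES"
}

# MASQUERADE WireGuard client traffic that leaves through the tunnel; -C tests for an existing rule.
ensure_masquerade() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -t nat -C POSTROUTING $MASQ 2>/dev/null; then
        run iptables -t nat -A POSTROUTING $MASQ
    fi
}

# Locally generated packets with the WireGuard source port use the ISP gateway, not the tunnel.
ensure_policy_route() {
    run ip route replace default via "$ISP_GW" table "$TABLE"   # replace is idempotent
    if [ "$DRY_RUN" = 1 ] || ! ip -4 rule show | grep -q "^${PRIO}:"; then
        run ip rule add iif lo sport "$WG_PORT" to default lookup "$TABLE" prio "$PRIO"
    fi
}

vpn_up() { ensure_table; ensure_masquerade; ensure_policy_route; }

# Remove the client-specific pieces so the next tunnel start begins clean (the table entry stays).
vpn_down() {
    run ip rule del iif lo sport "$WG_PORT" to default lookup "$TABLE" prio "$PRIO" 2>/dev/null || true
    run iptables -t nat -D POSTROUTING $MASQ 2>/dev/null || true
}

case "${1:-}" in up) vpn_up ;; down) vpn_down ;; esac
```

Call it with `up` from the client's up script and with `down` from its down script; `DRY_RUN=1 ./hook.sh up` shows the exact commands before they touch the system.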
Thank you.
With these changes, when I disconnect my ProtonVPN from dietpi-vpn, do the connections work normally?
How do I save my iptables configuration (and how do I restore it) if I have some problems?
thanks a lot
These changes do not affect the VPN client much, except that they enable the masquerade on tun0.
You can save the iptables with
iptables-save > /tmp/fw-backup
and restore with
iptables-restore < /tmp/fw-backup
Does the rule affect only the VPN client or all clients connected to the DietPi, for example those connected locally to Pi-hole's DHCP?
The rule is telling the system to use your ISP as uplink for the wireguard packets.